AfterDawn: Software downloads

Version history of OSForensics


Changes for v5.2.1000 - v5.2.1001

  • Recent Activity
    ◦ Fixed a crash that could occur when adding a filter when something other than "All" was selected in the treeview
  • Triage wizard
    ◦ Added "Manually carve files in unallocated clusters" suggested action
    ◦ Added "Generate new HTML report" and "Generate new PDF report" suggested actions.
    ◦ Fixed SysInfo "# commands completed" not updated properly on completion
    ◦ Fixed wording of several "Suggested Actions"
    ◦ Fixed BitLocker detection results appearing in System Information results
    ◦ 'Manually search' suggested actions now automatically start the corresponding search
    ◦ Auto-generated HTML/PDF reports are now saved in separate "Triage PDF Report" and "Triage HTML Report" folders respectively
    ◦ Fixed underline/cursor/text colour confusion for list view text that are not links



Changes for v5.1.1003 - v5.2.1000

  • NEW Triage wizard
  • Wizard launch icon on Start page. A huge amount of data can now be rapidly collected by inexperienced users with a single click.
  • Customize workflow
  • Now also removes icons from the Start page (and the menu)
  • It is possible to lock down the workflow with a password so inexperienced users can’t re-enable all the features so easily.
  • Case Manager
  • Items added to a case can now be categorized into a type of Crime, this list can be customised by editing the "Categories.txt" file in the ProgramData folder.
  • On the "add to case" dialog when using the "Use same details for all" option if the title has not been changed by the user a special flag will be displayed. This will then be replaced by each item's name when added to the case.
  • PDF reporting bug fix.
  • Fixed sorting by clicking on title in Case Management window.
  • Added new tag to customisable reports for generating Case Info table. Only non-blank fields shall be outputted
  • File Index
  • Fixed a buffer overflow bug due to illegally long filenames in ZIP files
  • Recent Activity
  • Started sanitising the HTML output for some items when exporting to HTML so that HTML special characters (eg <>&) are safely encoded.
  • Thumbnail Viewer
  • Now has a faster option to switch between the various thumbnail files found on drive via a drop down list.
  • Drive preparation
  • 1 click drive preparation function. Can wipe, verify, format drive with 1 click. A log file is also now written to the drive recording the preparation steps.
  • Hash Set Lookup
  • Added check if SHA256 hash is stored in the hash set. If not, SHA256 is not calculated. This saves a small amount of CPU time.
  • Email viewer
  • A bug fix for parsing some rare corrupted PST files
  • Misc
  • Correction of various multi-threading bugs, which came to light when running a large number of tasks simultaneously.
  • Registry access code wasn’t thread safe & could crash if multiple tasks were reading registry entries at same time, especially password recovery.
  • Caching of disk’s MFT into RAM didn’t work well with multiple threads. The solution was to enlarge the cache slightly and unify it into a shared cache. Multiple threads should run significantly faster than before.
  • Some handles to various internal resources were not being freed, resulting in memory leaks and possible crashes.
  • Even larger cache sizes and a more advanced cache lookup algorithm to speed up various operations that involve reading the MFT (this is a RAM usage / speed trade-off). Slightly more RAM is used, but disk operations are faster. For example, file name searches are now 33% faster.
  • Some help file updates
  • Fixed up the opening of the Help file to get the navigation menu showing again. The Edge browser in Win10 unexpectedly broke some of the help functions.
  • Fixed a crash in the 32bit version when trying to start a filename search



Changes for v5.1.1002 - v5.1.1003

  • File Index
    ◦ New Zoom indexer build, fixed bug that was failing to index particular .OST and .PST files with compression.
  • File Name Search
    ◦ Fixed a crash which could occur in the hash set lookup function when the hash set being searched contained very long string lengths.
    ◦ Thumbnail View, flags are now custom drawn to increase the speed when updating path flags, for example when doing hash matching.
  • Hash Lookup
    ◦ Added support for 'Modeless' dialogs for hash lookup for multiple files. This allows other modules in OSF to be used simultaneously with hashing in the background.
    ◦ Fixed dialog resizing screen corruption issues in the hashset lookup window
    ◦ Reduced the frequency of updates to the user interface when a hash operation is running to improve speed. It looks slower, but is actually much much faster.
    ◦ When performing a hash set lookup for multiple files, 4 threads and larger block sizes for disk reads are now used in order to increase performance. For large hashsets, with a fast SSD, performance improved 5 fold.
    ◦ Added a limit of 1000 file set matches returned for a single file hash lookup. So 1 file on disk can now not match more than 1000 applications. Previously a zero length file would match 500,000 applications in NSRL list.
    ◦ Added a limit of 5 file set matches returned for multiple file hash lookups, which improves speed dramatically when the hash set or the files being looked up contain matches in multiple file sets (eg when searching for file hashes in a set containing millions of records such as NSRL hash sets)
    ◦ Added caching of 0 byte / empty (contains only 0's) files to speed up multiple hash set lookups. Zero length files appear around 5000 times on a typical hard drive. So this can save 5000 slow database queries.
  • Hash Sets
    ◦ Added a "Properties" right click menu item to display a dialog with some information about the hash set (disk location, number of product types, file sets, files).
  • Password recovery
    ◦ Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ',' character
  • Recent Activity
    ◦ Fixed a bug where shellbag information was not being retrieved correctly when using “Scan drive” C: instead of live acquisition.
    ◦ Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ',' character
    ◦ Fixed a bug where the last connected date of a USB item could be different in Live search when compared to a C:\ search



Changes for v5.1.1001 - v5.1.1002

  • Add File To Case function
  • The copied files in the case folder should now have the same filetimes as the original source file.
  • Case Manager
  • Fixed Accessed & Attribute Modified file times not being stored in the OSFMeta file
  • Case meta item file, added two additional fields (where available): Last Access Date, MFT Modified Date
  • Deleted Files Search
  • Fixed changing of 'Date filter' combo box in Timeline view not updating the chart
  • File Indexer and searching
  • New Zoom builds fixed crash bug with indexing EML/MBOX file containing attachments of EML/MBOX files
  • Internal Viewer
  • Fixed info text for files that belong to the case
  • When opening a file added to a case, the original folder and file times are now displayed (obtained from the OSFMeta file). These attributes are highlighted in a different colour along with an information text.
  • For image files, size and file times have been removed
  • Internal Viewer - Hex View
  • Split IP address regular expression into IPv4, IPv6 standard notation, IPv6 standard + compressed notation
  • Recent Activity
  • Updated installer to include an alternate version of esentutl to use in the case of "Dirty shutdown (-550)" errors for ESEDB databases (eg from Windows search, Edge) that could sometimes cause the esentutl version installed locally to crash leaving the files in an unreadable state
  • Misc
  • Updated help file with internal viewer changes



Changes for v5.0.1002 - v5.1.1001

  • Case Manager
  • Fixed bug when specifying a custom location for a case.
  • V5.1.1000 - 6th of July 2017
  • Case Manager
  • Added ".mem" extension when selecting image file to add to case
  • Chain of Custody Report Template - Rearranged template fields, added signature field.
  • Generate Report - Allow option to generate Chain of Custody report along side Case Report.
  • Overhauled Chain of Custody reporting. Expanded the Edit Case dialog window with tabs to allow additional case data, such as Offense type, Legal Authority & Suspects Name to be entered.
  • Create Index
  • Added '.qbb' (Quickbooks) file type to the list of 'Other supported file types' category. Note that only file name will be indexed.
  • Create Signature
  • Deleted files can now be included in the signature from the config window. Hashing is also supported for deleted files (but not for $I30 slack entries)
  • Compare Signature
  • File attribute string now includes custom attributes (eg. 'deleted', '$I30 slack entry')
  • File icon is now included in the comparison results
  • Signature info now includes whether deleted files were scanned or not
  • Deleted Files
  • Fixed Bug where saving multiple files would fail to save files to destination.
  • File Carver - Unallocated Cluster code would not read from the disk when the cluster offsets did not reside on sector boundaries. File Carving initialization will check to see if start cluster offset is a factor of cluster size, if not, file carving will switch to raw carve mode.
  • File Carver - Addressed bug which might cause carving unallocated clusters to not progress.
  • DirectAccess – NTFS
  • Added buffer overflow check when decompressing CompactOS files
  • Improved performance of checking for valid $ATTR_FILENAME attribute when looking for $I30 slack entries
  • Improved performance of FindFirstDel/FirstNextDel functions
  • Fixed bug with not resetting the file pointer when detecting imageUSB image file. This could result in volume hashes returning the wrong value when verifying the hash of a volume (a few bytes at the start of the file were not included in the hash calculation).
  • Email Viewer
  • Fixed HTML/RTF message body not being searched
  • File Name Search
  • Added config option to 'Search deleted files'. If enabled, deleted and $I30 slack files are included in the search results.
  • Deleted files are now shown in different text colour and with a deleted icon overlay in 'File List' view. Right click options for viewing files was also added.
  • Deleted files are now shown as a separate group in 'Timeline' view
  • Added more file details when exporting the file list to txt/html/csv file
  • Added support for adding/removing deleted files to/from case
  • Added support for looking up deleted files in hash set
  • Added support for saving deleted files to disk from File Name Search module.
  • File System Browser
  • Fixed 'n item(s) checked' still appearing after changing the folder
  • Added right-click menu option to export list of checked files to Case
  • File times now include decimal precision
  • Removed checkboxes in 'File Select' dialog
  • 'File Select' dialog window size is now saved
  • Fixed auto-scrolling when sorting items
  • Internal Viewer - Hex View
  • Improved performance of string extraction by using parallel processing. Approximately a 60% speed improvement
  • Improved performance of filtering strings by using Boyer-Moore search & parallel processing. Can be more than twice as fast, depending on hardware
  • If using word list, included matched expression in status bar of selected string
  • When filtering the string list, the # of strings that have been processed is now displayed
  • Added option to save to .dic file for use with dictionary based password cracking
  • Moved filtering operation to thread due to length of operation. User may cancel the filtering operation at any time.
  • Changed preset filter combo box to a link which brings up a menu when clicked. The menu provides several preset filters, as well as an option to select a word list
  • Added 'Use RegEx' checkbox to allow user-specified regular expressions
  • MemViewer - Static Analysis
  • 'Memory dump file' filter now includes .bin, .img, .dmp extensions
  • Added 'View & Extract Strings' button to open the dump file in internal viewer in hex view
  • Thumbnail View
  • Fixed text colouring for Deleted/$I30 slack/Reparse point files
  • Misc
  • Updated help file
  • Improved performance of list classes by using multi reader single writer lock. Fixed some synchronization issues.
  • When selecting image files, the 'All Images' filter now shows all supported image files rather than all files



Changes for v5.0.1000 - v5.0.1002

  • Internal Viewer
  • Fixed a bug where attempting to open an archive (zip etc) file could result in a missing DLL message being displayed on older versions of Windows.
  • File Name Search
  • Fixed a buffer overflow that could sometimes cause a crash when displaying file names longer than 512 characters in the "Current folder" field. The crash can appear randomly, as the field was only updated occasionally while a search was in progress.
  • Memory Viewer
  • Included updated version of Volatility Workbench into the install package. Volatility Workbench is a graphical user interface (GUI) for the Volatility tool.



Changes for v4.0.1002 - v5.0.1000

  • New PList Viewer
  • Added a new Plist viewer
  • Text forward/reverse search option.
  • For nodes that contain "data", added quick hex preview popup dialog when field is single-clicked (double clicking will open a new file viewer window).
  • NEW $UsnJrnl Viewer
  • Added support for loading $UsnJrnl files saved as a regular file (ie. not as $J alternate data stream)
  • Added support for $MFT file lookup to determine full path
  • Added support for searching for subtext
  • Added right-click menu options for viewing file, exporting records and adding records to case
  • Added progress bar when parsing USN records, loading $MFT file and searching for subtext
  • Improved loading speed by searching for records from the end of the file
  • Path is now determined using the Parent MFT# stored in the USN record, followed by the filename stored in the USN record.
  • Paths that may not be correct are coloured in red. This occurs when the filename or the parent MFT# in the USN record does not match what is stored in the $MFT
  • Analyze Shadow Volume
  • Results can now be exported in HTML and CSV format
  • Added button to export results to case
  • Added right-click menu for exporting results
  • Case Manager
  • Added support for mounting file paths as a device in the case
  • Adding devices to case now supports adding local folders in addition to network paths. Renamed 'Network Path (UNC)' to 'Folder / Network Path'
  • When adding an image file to case, the 'Select partition' dialog has been updated to reduce confusion.
  • Added option to export $UsnJrnl records to report
  • Fixed index OOB error when exporting deleted files to report
  • Added support for adding BitLocker-encrypted drives to case. The drive must have been previously added to the case.
  • Fixed error message when viewing the properties of a Case Device
  • Recent history items for case name, investigator, contact details etc are now saved to the config and will be reloaded when OSForensics is started.
  • Compare Signature
  • Check if signature reports as version 3 but is actually 4 (two extra fields were added but internal version number of signature was not changed).
  • Create / Verify Hash
  • Added secondary hash function to allow calculating 2 different hashes simultaneously
  • Deleted Files Search
  • Added right-click menu to re-arrange columns in Details View
  • Added 'Source' and 'File number' columns to details view
  • Directory records found in $I30 slack space are now included in the results
  • Records found in $I30 attribute in deleted MFT directory records are now included in the results
  • Fixed bug with misreported quality when multiple streams exist for the deleted file
  • "Save and Open" right-click options no longer prompt the user for a location to save the file; it shall be saved automatically to the temp folder and immediately opened. The right-click options have also been renamed accordingly
  • When opening deleted files in the internal viewer, the initial tab that is displayed will correspond to the file extension
  • Fixed bug with saving deleted files to disk when the file fragments are greater than 64KB
  • Added *.msg to the search preset for e-mails
  • Drive Imaging
  • Fixed error copying single files to logical image due to directories not being created
  • Fixed file size of single file not included when calculating VHD image size
  • When calculating VHD image size, the file size on disk is now used. This is to account for sparse/compressed files that occupy less disk space than its file size.
  • Fixed bug with drive list in 'Create Image' tab containing devices from previous case after switching cases
  • Email Viewer
  • Fixed buffer overflow of 'From' field
  • Fixed heap corruption when opening .eml files with quoted printable encoded text
  • File Indexer and searching
  • New Zoom build with fixes for:
  • Fixed bug with indexing zero date as "23/04/2009 6:24:48"
  • Indexing "delivery time" for PST emails. Only index "submit time" if former is not available. Previously was only indexing submit time, which means Drafts/Deleted items would have no time in index but be inconsistent with EmailViewer, which would display a date/time.
  • Now supporting Win10 CompactOS compression (when used with the default XPRESS compression option). Viewing and indexing these files is now possible.
  • Fixed bug with Search Index -> Advanced settings' Date/Time range not being applied.
  • On History tab, when choosing right-click menu's "Display Search Results & Add to Case...", it will now export the list of results to the case along with adding the corresponding files.
  • File Name Search
  • Added right-click menu to re-arrange columns in Details View
  • Added *.msg to the search presets for e-mail
  • Fixed performance issue when searching with alternate stream criteria. Basic search criteria (eg. file name, attributes, etc.) should be checked before performing the much slower stream criteria check.
  • File System Browser
  • Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
  • Fixed text not appearing in icon/list view
  • Improved responsiveness when changing directories
  • Fixed bug with calculating folder size on disk for non-NTFS file systems
  • Fixed deadlock when multiple threads are accessing mounted devices simultaneously
  • Added right-click menu to re-arrange columns in Details View
  • When calculating folder sizes, stream sizes are now included
  • Added error messages when performing certain operations on $I30 slack items
  • Deleted artifacts recovered from $I30 slack space can now be displayed.
  • Files that have reparse points are now displayed in green
  • Hash Sets
  • Fixed an NSRL hash set import error that could occur when the manufacturer name was greater than 100 characters
  • Internal Viewer / File and Hex Viewer
  • File Viewer tab, changed volume controls to trackbar + mute button
  • Added 'IP address' filter to Hex Viewer string extraction
  • When viewing buffers (eg. deleted files) in the "file viewer" tab, the buffer shall first be saved to a temporary file and then loaded. Previously, an 'Unsupported file format' message was displayed.
  • Removed unnecessary saving of temporary files for file paths containing case devices
  • Extracting strings is now threaded so the window is no longer blocked. String extraction can also be cancelled half way.
  • Removed limit on the number of extracted strings
  • Added encryption, reparse point, sparse file, system compression attribute checkboxes
  • Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
  • Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
  • Memory Viewer
  • Added right-click menu to re-arrange columns of the process list
  • Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8
  • Changed the extension for memory dump files from .bin to .mem
  • Added tabs for 'Live Analysis' and 'Static Analysis'. Previous view has been moved to 'Live Analysis' tab. 'Static Analysis' allows the user to launch 'Volatility Workbench' process with the specified memory dump file.
  • Passwords
  • New updated password cracking library. Improved GPU acceleration allows for faster cracking. Double the speed in some cases.
  • Find Passwords & Keys: Added right-click menu to re-arrange columns
  • Find Passwords & Keys: Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
  • Fixed bug where Wifi profiles weren’t searching the correct location in some cases when “Live acquisition” was picked (could search incorrect drive letter)
  • Fixed bug where Wifi profiles might not search correct location in localised (non-english) version of windows
  • Fixed a crash that could occur when searching Wifi profiles
  • Fixed possible crash when getting system passwords
  • Added more info to display, client thread status, benchmark, password length and prefix.
  • Prefetch Viewer
  • Fixed possible crash due to buffer overflow
  • Raw Disk Viewer
  • Added a list of preset regular expressions combo box that can be used when performing a raw search
  • Improved performance of search window list view
  • Removed max search results limit in search window
  • Fixed synchronization issues potentially resulting in crash
  • Recent Activity Viewer
  • Changed how the windows user directories are searched for so all operating system dependant locations (XP, Win7 etc) are searched now instead of searching the known location of the first one found. For example if an XP system contained a "Users" folder in the root directory then it was previously only searching the (possibly empty) Users folder and then not searching the "Documents and Settings" location.
  • Fixed a "missing column" error for old versions of Firefox cookies
  • Made some changes when trying to repair a "dirty" windows search database (eg from a system image of a currently running system) so that if the esentutl tool crashes OSF will attempt to run it again
  • Added P2P artifacts from BitTorrent and UTorrent resume.dat folder, also checks the User's Download directory for .torrent extensions.
  • Fixed Bug with P2P Items not showing details on the File List Tab
  • Added Search queries artifacts for Ares Galaxy
  • Added Shareaza P2P Search Artifacts.
  • Added Emule P2P Artifacts
  • Added SABnzbd P2P Artifacts
  • Report Templates
  • Combined 'Drive Imaging' and 'Forensic Copy' HTML template into a single 'Forensic Imaging' HTML template
  • Start Window
  • Renamed “Website Passwords” to “Scan for Passwords/Keys”
  • Renamed “Removable Drive Preparation” to “Drive Preparation”
  • Added icon for launching 'Volatility Workbench' under 'Viewers' group
  • System Information
  • Made some changes to the system information command dialogs, added columns to show "Live acquisition" / "Drive acquisition" / "Image acquisition" differences of commands
  • Web Browser
  • Fixed bug where saving the complete webpage was not working correctly
  • Misc
  • Changed date/time format to 24-hour clock
  • Fixed crash when Exception filter is executed
  • Moved 'Forensic Copy' module to 'Drive Imaging' module as a new tab. Renamed 'Drive Imaging' to 'Forensic Imaging'
  • Fixed 'Forensic Copy' and 'Drive Imaging' logs not appearing in generated report
  • Fixed some flickering issues when resizing
  • Updated File Name Search preset list to include Virtual Machine files
  • Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is given. Now reports "Unknown date".
  • When selecting a directory via a popup dialog, if the entered path in the text box is valid, it will be returned. Otherwise, the directory selected in the tree view is returned.
  • Added template files for exporting $UsnJrnl records to report
  • Fixed bug with the initial directory not being set correctly in the select file dialog
  • When prompted to select a file, the last directory path is now used as the initial directory if not specified
  • Fixed bug in handling alternate data streams with multiple $DATA attributes
  • Added support for accessing bitlocker encrypted drives in raw form
  • Updated HTML Editor to show character count.
  • External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, USNJRNL and Plist) will retain the size of their last viewer window closed for subsequent openings
  • Performance increase when opening registry files
  • Fixed several potential crash points when closing the OSF application while the progress window is still showing
  • Updated help file with $UsnJrnl Viewer section
  • Fixed a bug that may cause Temp Registry Files in the function call CreateTempRegFileIfNeeded() not to be created when debugmode is enabled.



Changes for v4.0.1001 - v4.0.1002

  • Activity Monitor
    ◦ Added separate tasks for adding files to case
  • Case Manager
    ◦ Fixed synchronization issues with hash table causing an exception to be thrown
    ◦ Add file to case dialog has been changed to modeless, allowing the user to switch to another module while files are being added.
    ◦ Added synchronization to CaseManager class to support concurrent access to case items
    ◦ Added error message when creating/importing/loading/deleting a case while a task is still running
    ◦ When closing the program, a warning dialog is displayed when any task is still running (as opposed to a select few tasks)
    ◦ Fixed scroll bar being reset every time case items are added/removed
    ◦ Adjusted the maximum text to 245K characters in the rich edit box for case narrative
    ◦ Changed the case item list view to owner draw to improve performance
    ◦ Decreased the time required to delete a large number of items from case
    ◦ Fixed 're-use input' checkbox not working when adding bookmarked files to case
    ◦ Added error message when attempting to add bookmarked folders to case
    ◦ Increased the frequency of progress updates when adding multiple files to case
    ◦ Case items are now sorted by date in ascending order by default
    ◦ Fixed bug when attempting to overwrite an existing external report in case
    ◦ Fixed non-existent case default drive appearing in drop down box when editing case
    ◦ Improved performance of updating list items (eg. in File Search, Mismatch Search, Deleted Search) when case flags are updated
    ◦ Fixed memory leaks in case log
  • Decryption & Password Recovery
    ◦ Added more info to display, client thread status, benchmark, password length and prefix. Adjusted job size for CPU clients.
  • Deleted Files Search
    ◦ Fixed junk characters showing up in error message when prompting to overwrite a file
    ◦ Fixed case flags not being updated in thumbnail view
  • Email Viewer
    ◦ Fixed unhandled exception when failing to load e-mail file
  • File indexing and searching
    ◦ Fixed bug with Doc/Ppt/Xls indexing "last modified" as "Author". Will now prioritize "Author" and only index "Last modified" if "Author" is not available.
    ◦ Added support for Comments property (appended to KEYWORDS meta tag) in DOC files, and support for "Category" property (as "ZOOMCATEGORY" meta tag) in PPT and XLS files
  • Raw Disk Viewer
    ◦ Fixed bookmarks showing up twice when reloading a case
  • ThumbCache Viewer
    ◦ Fixed 'use same details for all' checkbox not working when adding to case
    ◦ Due to changes in Win10, the 'name' column should now show the thumbnail cache ID in hex format (instead of a cryptic string)
  • Misc
    ◦ Updated HTML Editor to show character count



Changes for v4.0.1000 - v4.0.1001

  • Case Manager
  • When generating report, fixed incorrect links being generated when 'Copy files' is checked
  • Improved the performance of adding items to case by performing the hash calculations all at once (rather than separately)
  • Improved the performance of updating case flags by not re-drawing the lists for File Name Search, Mismatch Search, Deleted File Search, Index Search, File System Browser
  • Allowed the HTMLeditor to be left opened from the "Edit Case Detail" dialog window. However, as a result, the case narrative is prevented from being edited from the New Case dialog procedure.
  • Case Log Viewer
  • Improved the performance of adding new log entries
  • Decryption & Password Recovery
  • Added Openoffice (LibreOffice) extensions to select file dialog
  • Removed bell sound from gpu client, cpu client, and server and replaced with a different (chime) sound
  • Fixed typo in default definition file
  • Forensic Copy
  • Added a clear log button and started displaying the number of files copied
  • Reduced the amount of memory used substantially during the forensic copy process
  • Recent Activity
  • Added Time Source Column for 'All'



Changes for v3.3.1004 - v4.0.1000

  • Licence changes
  • Free version has been replaced by a 30 day trial
  • USB installation is now available only in the Pro version.
  • Changed the maximum number of items that can be indexed (in create index) to 2500 for the Trial version
  • Recent activity exported list is now limited to 10 items in the Trial version.
  • Changed the maximum number of browser passwords displayed to 5 per browser for the Trial version.
  • Password recovery
  • Wifi passwords are now recovered & decrypted from the registry and file system.
  • Windows auto-logon passwords are now recovered & decrypted from registry.
  • Outlook & Windows live mail passwords are now recovered & decrypted.
  • Microsoft product keys are extracted from the Windows registry
  • New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
  • Specific rows in the password report can now be selected for export or adding to the case.
  • GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR files. (Work in progress)
  • Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512 hashing has been implemented in addition to SHA-1).
  • New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
  • Added NTLM hash cracking to the common password check for the Windows login password
  • Added NTLM hash rainbow table generation.
  • User interface & work flow
  • It is now possible to change the order of buttons in the left menu, now called the Work Flow menu. This can allow the button order to reflect the chronological order of specific forensics processes.
  • Checkboxes in several windows, rather than multi-select that requires continuously holding select/ctrl.
  • New 'File Details' tab in several windows that displays the search results in a list view.
  • Recent activity artifacts
  • Added OS X artefacts to Recent Activity feature for Mac drives
  • Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and iPhone).
  • Updates in Recent Activity for newer browsers (including Edge)
  • Faster collection of Windows Search terms in recent activity (reducing hours to minutes for the worst case)
  • Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity
  • Added USB first connected time from parsing setupapi.dev.log
  • Added the ability to reorganize and/or hide/show certain columns on the File Details tab by right-clicking on the column title area.
  • GUI will show incrementing artefact count during the scan
  • File system support & imaging
  • exFAT is now supported
  • Added read-support for .Ex01, .Lx01, and .L01 image formats
  • Improvements to HFS+ support for Macs.
  • Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
  • Added a log option for Forensics Copy
  • Added ability to supply multiple source paths when performing Forensic Copy
  • Owner/group/permissions are now preserved in Forensic Copy
  • Better exposed the function to compare shadow copies.
  • Memory viewer
  • The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
  • Handles and loaded Modules are displayed per process when available
  • Users can create Process Specific binary dumps through right click options and add to the case.
  • ESEDB Viewer
  • Dialog to select from a list of known files now shows the file size
  • Added right-click option to copy values (ie. cells) to clipboard
  • Added right-click option to view values (ie. cells) as binary data in the internal viewer
  • Added right-click option to export values (ie. cells) as binary data to file
  • Added right-click option to export values (ie. cells) as binary data to case
  • Added right-click option to export tables to case
  • Fixed some memory allocation issues when exporting tables that can cause a crash
  • Fixed horizontal scroll bar not appearing for some tables
  • Binary data is now displayed in byte groupings
  • Fixed a bug when retrieving a record multi-value
  • File name search
  • The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
  • Peer to peer file types have been added as a new pre-set search selection.
  • The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
  • Improved the default settings
  • Ability to group the search results by file type in 'File Details' view
  • When grouping the results by file type, the groups are collapsed by default
  • File indexing and searching
  • Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude
  • Improved relevance scoring when hundreds of matches are found within the same file
  • Restored torrent file indexing which got accidentally broken in a past release.
  • Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
  • Improved search results layout
  • Fixed bugs when indexing meta data (title, keywords, etc) from DOC files
  • Reporting & Case Management
  • PDF output added.
  • New streamlined report layout, including a sidebar for quick access to specific forensic artifacts
  • Added option to include file EXIF metadata in the report
  • Custom Logos are now easier to add
  • Added two custom fields to Case Information (The Edit Case and New Case windows) & allow the user to rename the fields
  • Added an 'Add External Report' feature in case management, which supports adding an external HTML report directory so that other tools' reports display properly.
  • Reduced the time required to populate the list of log entries
  • Index search history is now loaded on demand to reduce case load time.
  • File size of the case item is no longer retrieved to reduce case load time
  • The default mount name for volume shadows now contains the index number
  • When mounting devices, there is no longer an attempt to open a handle to the drive to reduce case load time.
  • When adding device to case, 'Case default device' checkbox is set by default
  • Improved error message when generating a report in a location that already contains an existing report
  • Fixed error when generating links in a report to a file that contains > 260 characters
  • Fixed forward slashes in links being escaped causing problems in some browsers (eg. Chrome)
  • Fixed error when deleting a read-only file from case
  • Fixed error when deleting a file with long file name from case
  • Added retry mechanism when attempting to add a file to case that is being used
  • When automatically adding files to case, added option to ignore future errors
  • Updated Report Templates to include the 'Case Activity Log' section in the main report
  • Added checkbox option to include 'Case Activity Log' into the main report
  • When generating a Case Log report, the exported log entries are exactly as displayed in the Case Log Viewer (ie. Verbosity, filters, sorting, etc applied)
  • Added a HTML Editor to allow user to modify case summary narrative. Can be located under "Edit Case Details".
  • Added progress bar when saving the case files to a folder before the case is deleted.
  • Added new report type 'Log Report' for Case Log reports
  • Shadow copies
  • Fixed an issue when adding shadow copies to a case, if selecting an individual shadow copy it would store an incorrect Device path (eg Drive-C instead of Drive-C:\) which would lead to it not being displayed on the analyze shadow copy dialog.
  • Added a Shadow Copy Analyze icon to the start page
  • Stopped a shadow copy entity being compared against itself, as it only makes sense to compare different shadows.
  • Added a warning message when opening the analyze dialog if no shadow copies were added to the case.
  • System information
  • BitLocker Detection preset added to System Information
  • Updates to System information to detect new CPU types
  • Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.
  • Registry Hive viewer
  • Fixed a bug when opening a backup hive that was locked and a shadow copy was required to provide access.
  • Dialog to select from a list of known files now shows the file size
  • Hashing
  • Button to add Hash results to case
  • Thumbnail database viewer
  • Fixed large memory usage when reading Win10 thumbcache files.
  • Added support for Win10 thumbcache files. The Win10 thumbcache header uses a different format than previous versions
  • Added to list of known thumbnail cache files
  • Replaced thumbnail size radio buttons with combo box
  • Dialog to select from a list of known files now shows the file size
  • Internal file viewer
  • Updated video previewer to support more video formats, including video in these formats: 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV
  • Can do screen capture from the File Viewer.
  • Email searching
  • Added BCC searching for Emails.
  • Additional details are indexed when indexing Emails (for some formats).
  • Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files
  • Deleted files
  • Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for carving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
  • Added a new window showing the list of File Types that are carved (opened from within the config window). This list can be modified to add custom signatures by the user by editing the osf_filecarve.conf file.
  • Ability to group the search results by file type in 'File Details' view
  • When grouping the results by file type, the groups are collapsed by default
  • Other changes
  • Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search
  • Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding
  • Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
  • Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs
  • Fixed up broken XP compatibility. This is very likely the last release we do that has any support for running on Windows XP.
  • Populating the drive list (for drive preparation) is no longer performed on program startup to speed up load time
  • Loading of Magic config file (for mismatch search) is now performed on demand to speed up program load time
  • Populating the device list (for raw disk viewer) is no longer performed on program startup to speed up load time
  • When loading the log file (secure log), a buffer is now used to speed up load time



Changes for v3.3.1003 - v3.3.1004

  • Case Manager
  • Added warning when attempting to add the entire image to case when there is a partition table
  • Allow the option to select the "entire image file" when adding images to case
  • File Indexer
  • New Zoom builds with added recognition for extensions .plt and .dxf to index filename only
  • Fixed stack/buffer overflow issue when indexing PST emails.
  • Raw disk viewer
  • When viewing the raw sectors of entire images, the partition table info is now decoded
  • Search Index
  • Fixed special characters such as '&' in the filepath from the search results not being decoded properly
  • Misc
  • Device dropdown list now includes the image file's partition (or "Entire image")
  • Fixed bug with not being able to read the raw bytes of image files using UNC paths
  • Accessing the entire image file with a valid partition table (ie. without specifying a partition) no longer returns error



Changes for v3.3.1002 - v3.3.1003

  • Email Viewer
  • Fixed stack overflow crash bug when saving MSG attachment with multiple levels of nesting
  • File Indexer
  • New Zoom indexer build, fixed a crash bug for nested MSG files within PST files



Changes for v3.3.1001 - v3.3.1002

  • Deleted Files - FileCarving
  • Fixed crash. The TIF file format has internal pointers to locations within the file; when these pointers contain a corrupted/invalid value, it could cause OSForensics to crash.
  • Added slider to configuration to allow selection of start and end percent/location of drive to carve.
  • Fixed possible crash when searching for HFS+ deleted files.
  • File Indexer
  • New Zoom build, fixed issues with not starting indexing on HFS image with "Invalid folder" errors.
  • Misc
  • Fixed retrieving file attributes on non-ntfs file systems
  • Fixed possible crash when accessing an HFS+ filesystem
  • Added detection of file system for MBR partitions due to possible differences in reported partition type and actual file system



Changes for v3.3.1000 - v3.3.1001

  • Deleted Files Search
  • File Carving, naming of recovered carved files has been changed to "Carved (type) file (Sector Location in HEX).extension" e.g. Carved 'jpg' file 0x00001F2B.jpg
  • File name search
  • Fixed a bug that was preventing sort by foreground/background colour working correctly on results when OSForensics was using direct access (eg direct access of an image file)
  • Hash Sets
  • Fixed a crash when first trying to open the hash sets tab
  • Misc
  • Some help file updates



Changes for v3.2.1003 - v3.3.1000

  • Case Management
  • Increased Notes character limit to 64000 characters
  • Can now remove file from case in right-click menu
  • When adding an attachment to case that already exists, prompt the user to overwrite
  • Create Signature
  • E-mail files are no longer saved as temporary files when creating a hash of the file. This improves the speed when creating a signature.
  • Fixed wrong directory path being displayed especially when hashing large files.
  • Fixed performance bug when hashing NTFS compressed files. Caused a 20x slowdown reading compressed files.
  • Compare Signature
  • When comparing file attributes, mask out the extra attributes used by OSForensics Forensics mode (eg. FILE_ATTRIBUTE_ATTR_MODIFY). This gives a more accurate list of modified files.
  • Deleted File Search
  • Added 'Remove deleted file from case' right-click menu option
  • Fixed search results clearing when flags are updated
  • Drive Preparation
  • Added WAIT icon to drive refresh, so user can see when refresh is complete.
  • Fixed physical drives are now supported, including system drive. However, if the system drive is selected, an error message is displayed
  • Drive Imaging
  • By default, 'Verify Image File' and 'Disable Shadow Copy' checkboxes are now checked.
  • Added option to attach Image metadata (.info) file to case on completion
  • Changed extension of Image metadata file from .info to .info.txt
  • Email Viewer
  • When parsing DBX e-mail files in forensics mode, a temporary copy of the file is no longer created. This saves some time opening the file.
  • ESEDB viewer
  • Updated the Extensible Storage Engine database (ESEDB) viewer to support the new Win10 file structure.
  • Fixed list of records being cleared when attempting to access a page that is out of bounds
  • Fixed bug with non NULL-terminated string
  • Added sanity check for endianness for Vista DBs due to possibility of fields being either big or little endian
  • File Indexer
  • 12x increased unique words capacity (from 16 million base words to 200 million). Allows more documents to be indexed in a single index.
  • Approximate 5x faster Forensics Mode indexing. This resulted from better caching, better parsing of the MFT and new low overhead methods of getting file attributes.
  • Improved JPG, PNG image indexing speed with new methods of calling exiftool. Performance is approximately 5x faster on photographic images.
  • Fixed bugs with indexing of archives (zip, tar, 7z, etc.) in Forensics Mode.
  • Added support for ZIP files using non-DEFLATE methods (e.g. IMPLODE)
  • Improved file type identifications and attempted indexing methods. A lot fewer warnings and errors should now be logged when indexing.
  • Fixed 64-bit bugs with 7z64.dll
  • Fixed corrupt messages e.g. "Error: Cannot delete output file: ... ". Sometimes this error was caused by indexing E-mails that contained malware. The antivirus (AV) solutions running on machines would detect the malware on extraction of attachments from the E-mail and unexpectedly delete the temporary file, causing a cascade of errors. We have a work around for the errors, but active AV solutions can still prevent indexing of files containing malware. Which can be a good or bad thing depending on your point of view.
  • Fixed failing to open .gz and .tar.gz files from forensic mode mounted drive
  • Fixed bugs with failing to extract files from certain problematic ZIPs and attempting every file (with magic and extraction and indexing) causing 3 error messages per file in the Zip file. Corrupted Zip files should no longer produce this cascade of errors.
  • Fixed crash bug with truncated MP3 files
  • Fixed OLE parsing bug when loading corrupted MSG Email file
  • Improved memory estimation of indexing, to better judge if there is sufficient RAM available to start the indexing job. No point starting an indexing job only to die half way through it.
  • File Name Search
  • Fixed 'Current Folder' not being correctly displayed
  • Fixed search results clearing when flags are updated
  • File System Browser
  • Display "(Sparse)" for the "Starting LCN" column of sparse files
  • Fixed incomplete folder size being displayed when folder size calculation is cancelled midway (eg. when items are being sorted)
  • Speed improvement when calculating folder sizes in forensics mode. Approx 3x faster depending on collection of files.
  • Internal Viewer
  • File info: For reparse points the linked path is now displayed
  • No longer displays message box when failing to open file
  • Hex viewer, Display error message in the status bar when failing to open file
  • Mismatch Search
  • Fixed 'Current Folder' not being correctly displayed
  • Password Recovery
  • Fixed crash when writing an entry to the log
  • Windows Login - List views are now resized
  • Windows Login - Added 'Password Required' column to 'Local Users' table to indicate whether a password is required for login
  • Windows Login - Fixed crash when saving local users/domain users to file
  • Recent Activity
  • Added file type sub classification for Windows Search Items. Files are classified using the MIME type and extensions
  • Removed directories from Windows Search Items
  • Fixed Security event log entries not appearing in the results
  • Selected items in 'File Details' and 'File List' tabs are now independent of each other. This caused problems when the exported list of selected items contain items that were not selected
  • Re-arranged the order of tabs so that 'File Details' is the default tab.
  • Fixed scan status not displaying in 'File Details' view
  • Fixed sorting of items in 'File Details' view
  • flickering of tree view
  • Fixed error message appearing when JumpList is not selected in the scan
  • Fixed a shellbag retrieval crash in Windows 10
  • Fixed a jumplist crash in Windows 10
  • Fixed a bug preventing some jumplist items from being retrieved
  • Changed "Stream Number" jumplist item name to "Entry ID"
  • Fixed an offset bug when getting the name of a shellbag item in Windows 10 which caused names with invalid characters to appear
  • Updated function that retrieves Windows desktop search terms. The database format recently changed in Win10 and broke older releases of OSF.
  • Registry Viewer
  • Can switch between Hex, ASCII, Unicode in right-click menu
  • Hives under \Windows\System32\config\RegBack are now listed when selecting a registry hive to open
  • Added buttons for common operations (Add file, Add to case, Export, Find)
  • Fixed a crash when trying to view/open the SAM file in Windows 10
  • Search Index
  • Updated search engine code to support new increased capacity index format with extended unique words.
  • Added 'Remove item from case' right-click menu option
  • Fixed search results clearing when flags are updated
  • Thumbnail View
  • Improved performance of loading photographic image thumbnails in forensics mode. Is approx 10x faster.
  • Improved speed + memory usage when drawing thumbnails. Especially noticeable when scrolling the display, which should now be smoother.
  • Drive imaging
  • Fixed error "Unable to read end of drive". This occurred when imaging a volume (e.g. Drive F:), when the size of the file system (e.g. NTFS) is smaller than the volume size. The imaging process will now continue beyond the end of the file system to read the entire volume.
  • Misc
  • Fixed some memory leaks found by the leak checker
  • Licensing
  • In the free edition of the software,
  • The indexing process will be restricted to 10,000 files or E-mails.
  • The search results from an index will be limited to 250 files per search.
  • Only 10 items to be added to each Case file.
  • Only the first 10 passwords from each browser type will be listed in the passwords function
  • Installer
  • The installer package is now signed with an Extended Validation code signing certificate. This avoids some SmartScreen installation warnings in Windows 10, like Windows "prevented an unrecognised app from starting".



Changes for v3.2.1002 - v3.2.1003

  • Create Index
  • Added support for zipx, 7z, rar, .arj, .dmg, .iso, .chm, .cab, .bz2, .lzo
  • Fixed indexing bug with repeated "Core engine not responding" messages
  • Disk Imaging
  • Reduced the vertical space used by the controls to support lower resolutions
  • EmailViewer
  • Can now re-scan for recovered e-mails after cancelling a previously started scan
  • Removed 'Tools' menu
  • Misc
  • Help updates for system information



Changes for v3.2.1001 - v3.2.1002

  • Create Index
  • Improved MSG/EML/MBOX indexing support. Now using MIMETIC.
  • Fixed many common errors and warning messages and file recognition
  • Fixed many issues with .zip, .gz, and .tar.gz archives. And recursive archives.
  • Fixed filter buttons/checkboxes not working when viewing a failed/cancelled index
  • Added fix for "Core engine is not responding" when indexer was stuck in "Finishing" stage due to large index or slow disk write
  • Email Viewer
  • Added right-click option to jump to the message ID of an e-mail file
  • Added progress details when scanning for deleted e-mails
  • Fixed bug with deleted e-mails not being displayed in the EmailViewer
  • Fixed 'assert' error appearing when Subject field is missing in MIME headers
  • Index Log Viewer
  • Fixed crash when trying to view a previous index log while an indexing job is running.
  • Recent activity
  • Fixed an issue when trying to get IE10+ URLs from a read only drive
  • Fixed an issue with "dirty" IE10+ databases that were displaying a "Failed to attach IE10 database" error in some cases
  • Fixed an "autofill_dates" missing error caused by a Chrome update removing this table
  • Fixed a "malformed" database error when getting Chrome cookie information
  • Fixed some display and sorting issues with shellbag items on the file details tab
  • Registry Viewer
  • Fixed a crash when opening a corrupt registry file
  • Misc
  • exFAT partitions are now properly detected as opposed to being identified as "Unknown"



Changes for v3.2.1000 - v3.2.1001

  • Case Manager
  • E-mail attachment paths now include the attachment index number following the file name (eg. c:\email.pst*990*attach.txt:2). This is to distinguish multiple attachments with the same name.
  • Create Index
  • Fixed some bugs relating to email attachments
  • New URL format for attachments
  • Fixed bugs with indexing attachments from mbox (.eml) in nested format
  • Fixed bug with not indexing From/To details for Mbox attachments
  • Fixed bug with indexing attachment titles incorrectly
  • Fixed a bug that was causing "Failed to rename file zoom_pagedata.tmp to ..." appear at end of indexing
  • Email Viewer
  • When extracting e-mail details, if FILETYPE_UNKNOWN is specified as the e-mail file type, the function will try opening the file with each format until successful
  • Fixed potential heap corruption when exporting an e-mail with a large text body
  • Fixed possible memory leak
  • Recent Activity
  • Added shellbag item from registry files collection and display
  • Fixed a date conversion issue with Google chrome downloads date
  • Search Index
  • Fixed some results not being filtered into the correct tab (eg. images in e-mail attachments)
  • E-mail attachments with the same name can now be distinguished properly
  • When doing bulk adding of items to case, user is no longer prompted when the item already exists in the case after checking the 'Repeat action' checkbox.
  • Fixed various problems related to adding nested attachments/e-mails/archives to case.
  • For E-mail paths that do not have a message ID in the path, a message ID of "0" is assigned
  • Fixed issues with the case flags not appearing for some items
  • Misc
  • Fixed some date formatting bugs introduced in the previous build that were causing dates to appear blank



Changes for v3.1.1007 - v3.2.1000

  • Create Index
  • Added indexing of From, To, CC, BCC, etc. fields for PST attachments.
  • Added indexing of From/CC/To etc. addresses from MSG attachments.
  • Added missing support for indexing headers for MSG files
  • The start and end dates for the advanced search options are now correctly using the current case timezone setting when a search is performed
  • Fixed bug in Create Index -> Edit Template -> "Scan system paging and hibernation files" setting being lost.
  • Fixed bug with Search Index -> Email Attachments -> Export ... results carrying incorrect From/To/CC information from previous results.
  • Fixed bug with indexing attachments from MSG files (failing to recognize file type properly)
  • Fixes for crashes and infinite loops when indexing corrupt DOC, XLS and PPT files.
  • Fixed bug with empty emails in PST files causing previous buffer to be used for content and custom meta.
  • Case Manager
  • User can now specify whether logging is enabled/disabled when creating or editing a case
  • Error message is displayed if the log file is corrupted or tampered with
  • When generating a report, "No title" is now shown for items that have no title so that the link to the file is visibly created
  • When renaming (moving) cases, case items still used the old metafile path causing issues with non-existent paths. Fixed by reloading case after moving.
  • E-mail attachment paths now include the attachment index number, due to the possibility of having multiple attachments with the same name
  • Case Log
  • Supplemental log entries added across all modules
  • When logging is disabled, controls are now disabled and message is shown to the user
  • Create/Verify Hash
  • Fixed drive drop down list to include Case devices
  • CSV Exports
  • Removed "," separator between date and times for CSV exports so that Excel will automatically pick them up as dates
  • Deleted Files
  • Fixed bug with retrieving the clusters of a deleted NTFS file. This bug could potentially cause an invalid memory access crash
  • Unallocated cluster information now being used for mounted devices
  • Fixed bug with being unable to save multiple deleted files from a partition without a drive letter (due to invalid characters in the device path)
  • The number of files that were not saved due to reallocation now displayed
  • Improved performance of saving deleted NTFS files
  • Deleted files stored in multiple MFT records are now being handled
  • Proper stream names are being used when restoring a deleted NTFS file
  • Disk Imaging
  • Fixed no default drive being selected in 'Hidden Areas - HPA/DCO' tab
  • Added check for no physical disk selected
  • The sizes of each respective max LBA are now displayed in the log after detecting HPA/DCO
  • Event Info
  • Bug fix, stripped trailing space character from event title.
  • Email Viewer
  • A dotted border is now custom drawn on the selected folder/e-mail so that even when the control loses focus, the selection is still apparent
  • Fixed not being able to add multiple e-mail attachments with the same name. Each attachment now has a unique path.
  • File Name Search
  • Added 'Save to disk' right-click option. Re-arranged right-click menu to be more readable
  • Hash sets
  • Files less than 5 bytes in size are now excluded from hash set lookups (this is to prevent tiny files, e.g. 0 byte files, always appearing in a hash set where there was a 0 byte file on creation)
  • Password Recovery (Windows Login Passwords)
  • Added cached domain users to recovery for local drives
  • Fixed a crash that could happen when recovering cached domain users
  • Recent Activity
  • Added timestamps to WLAN items for the associated XML profile or registry key (where available)
  • Bug fix, export event to CSV will now include the item's title.
  • Columns will remember their widths when filtering, sorting and navigating to different activity types.
  • Search Index
  • Added To/From/CC information to attachment output when searching an index
  • Removed the from/to/cc fields from the CSV export of a search for items that aren't emails/attachments
  • Fixed bug with broken links in search index results for files containing percent encoding in filename
  • System Information
  • Added cached domain users to "Get User Info (registry)"
  • ThumbCache Viewer
  • Fixed 'In Case' flag incorrectly displayed for all items in thumbnail view
  • User Interface
  • List/tree views across OSF now shows the selected item regardless of when the control loses focus
  • Fixed drawing issues when minimizing navigation buttons
  • Removed flickering when resizing window
  • Fixed buttons not being displayed when resizing window
  • Fixed drawing issues when resizing file/folder popup dialog
  • WinPEBuilder
  • Bug Fix. Selecting OSForensics or BurnInTest as the selected program in WinPEBuilder will now add the required WinPE packages on the WinPE/Packages tab.
  • Misc
  • Updated help for new Case Activity Log section to describe logging feature
  • Updated help with info on user editable file carving configuration file, osf_filecarve.conf
  • Updated help to mention timezone in case management
  • Updated System information library



Changes for v3.1.1006 - v3.1.1007

  • Case Log
  • Added preliminary implementation of Case activity logging
  • Case Management
  • Made add note window resizable
  • Added vertical and horizontal scrollbars to Add note dialog, allowing more data to be saved and making it easier to format the notes.
  • Deleted files
  • Fixed crash when displaying deleted file thumbnails on ext2/HFS+ drives (due to different threads sharing same drive handle)
  • Hash Sets
  • Fixed bug in deleting hash set from Tree View
  • Web Browser
  • Fixed missing URL info when adding web snapshot to case
  • WinPEBuilder
  • Can pass in .cfg file to preload some values of WinPEBuilder.exe
  • Install to USB
  • Updated GUI. If installing to USB Drive, then only USB location will be allowed. If creating a bootable device, then any folder is allowed. OSForensics will prefill the output destination of OSForensics (via WinPE Builder config file) when launching WinPE Builder (Requires WinPE Builder 1.0.107 and up).
  • Misc
  • Updated System information library



Changes for v3.1.1005 - v3.1.1006

  • Case Manager
  • Before deleting search indexes they will now be unloaded if currently in use rather than displaying an error message
  • Email Viewer
  • Added check for if the recipient address is in X400 format. If so, try to obtain the SMTP Address instead.
  • File Indexing
  • Fixed a crash caused by partially compressed NTFS drives
  • Fixed bug with missing title and from addresses from index
  • Fixed bug with PST files not opening from search results due to incorrect/corrupt path
  • Fixed bug with x400 email address format when smtp format available for recipients.
  • Password Recovery
  • Windows login passwords: Added recovery of cached domain users, updated help file to match new UI and functions.
  • Install to USB
  • Fixed a bug where if the initial start failed (eg invalid target directory) the disabled buttons were not re-enabled, causing OSF to become un-usable
  • Misc
  • Updated error message when trying to copy files to clipboard from non supported devices



Changes for v3.1.1004 - v3.1.1005

  • File Indexing
  • Updated Zoom indexer to fix some crash issues
  • Bug fixes when indexing DOC and XLS files inside ZIP files
  • Install to USB
  • WinPEBuilder will launch with option to format USB drive filesystem as NTFS.
  • Password Recovery (Browser Passwords)
  • Fixed a bug with chrome and opera password recovery where the wrong password could be displayed in some cases (out by 1 place in the list) or no password might be displayed despite not being blacklisted
  • System Information
  • Fixed a bug that was displaying an error message when trying to run a custom command on the system information tab when using a selected drive



Changes for v3.1.1001 - v3.1.1004

  • Email Viewer
  • Added handling of RFC 2047 encoding in subject/address fields of MIME headers
  • Fixed buffer overflow in status message while recovering deleted e-mails in PST files
  • Fixed 'S' shortcut key being processed instead of 'Ctrl+S' to add attachments to case
  • Fixed a bug with saving embedded message in PST/OST files as .msg. LIBPFF_ENTRY_TYPE_ATTACHMENT_DATA_OBJECT property was being saved as a stream instead of storage
  • ESEDB Viewer
  • Fixed population of known ESEDB files to use localised folder names instead of hard-coded locations
  • File Indexing
  • Pre-scanning can now be cancelled while scanning PST messages
  • Updated Zoom indexer to fix some crash issues
  • Updated Zoom Office XML plugin
  • Improved length limit for meta fields in email files (used for FROM/TO/CC/BCC) from 255 characters to 65,535 characters.
  • During indexing, fixed Total Bytes/Peak Physical Memory/Peak Virtual Memory not updating properly when > 2GB
  • Fixed crash bug with buffer overflow and infinite add URL when indexing .MSG file with many attachments
  • Fixed bug with only using last filename for all attachments of the same .MSG file
  • Fixed bug with losing generated body text with attachment filenames "Attachment(s): ... , ..." for .MSG file indexed.
  • Fixed bugs with indexing plain text emails in .MSG files
  • Fixed bugs with indexing Chinese PST files (metafield length limit caused Unicode corruption)
  • Fixed bug with possible Unicode string corruption when longer than available buffer (with languages such as Chinese with 4 char MB UTF-8 characters)
  • Fixed a bug with file sizes not being indexed in offline mode
  • Fixed a potential crash caused by long URLs
  • Fixed a crash during pre-scanning when indexing unallocated clusters
  • Fixed bug with search index failing on old format index files after a search with new format index files.
  • Fixed DOCX plugin that split words incorrectly due to revision history
  • Fixed crash bug with XLS files with invalid cell.templateID values
  • Import Hash
  • Fixed String/Buffer overflow during import progress updates (if import folder name is too long) by increasing string size
  • Internal Viewer
  • If viewing an Excel document that is password protected, it will now display a relevant error message
  • Password Recovery
  • Shadow copy now used if registry file is locked
  • Recent Activity
  • Now attempting to get the localised name for the "Documents and Settings" folder from the registry when starting a recent activity scan so more information will be retrieved on non-English Windows installations.
  • Shadow copy now used if registry file is locked
  • Should now resolve shortcut (.lnk) files in User's Recent Items folder (when not using live acquisition scan option).
  • Fixed scanning of system registry hives when no user hives are found
  • Search Index
  • Fixed processing of FILETYPE_MSG and FILETYPE_ATTACHMENT_MSG index results
  • System Information
  • Shadow copy now used if registry file is locked
  • ThumbCache Viewer
  • When looking up default Windows.edb location, now using localised folder names instead of hard-coded locations
  • WinPE Builder
  • Updated build of WinPE Builder. (Allows user to set NTFS filesystem with command line argument '-f'. Not enabled by default, since FAT32 supports booting both BIOS-based and UEFI-based PCs. UEFI based systems require that the boot files reside on FAT32 partition. If they are not on FAT32 the system may not see the device as bootable.)
  • Misc
  • Fixed bug with handling of NTFS files with mix of compressed/non-compressed fragments
  • Help file updates



Changes for v3.1.1000 - v3.1.1001

  • Case Management
  • Fixed potential deadlock after clicking 'Cancel' when items are being added to the case
  • Fixed 'To' field missing in e-mail case properties
  • Fixed 'From', 'To', 'Subject' fields missing in case report
  • Removed check for empty e-mail headers (From, To, Subject, etc...) when adding e-mail to case. Adding warning to log file instead.
  • Email Viewer
  • When exporting e-mails to file/case, 'Print-friendly' HTML file is now generated. Currently, only HTML/text is supported.
  • File Indexing
  • Indexer updated to the latest Zoom Engine
  • Fixed a bug when indexing email attachments with accent characters in the folder path
  • Fixed infinite loop bug when indexing corrupted ZIP files
  • Fixed a crash bug with indexing MSI files (and any other files that can be misidentified as DOC)
  • Added error message when handling bad ZIP files.
  • Added default handling of .msi files as binary (filename only) format.
  • Recent Activity
  • Will now return files/folder from user's Recent Item folder (shell folder)
  • Added Support for Word 2013 Reading Locations to Recent File List Item
  • Added Support for Office 2013 (Word, PowerPoint, Excel) Recent File List
  • Added Adobe Acrobat Reader MRU locations
  • Now also parsing the subkeys to Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xxx, where .xxx is file extension to retrieve more information
  • Added Right Click Menu Option - Copy Row to Clipboard
  • GUI Fixes, Help File Link Update
  • Added Filter for text search of all fields for an activity type
  • Installed Programs, if there is no program name, will return registry location as the title.
  • Registry Viewer
  • When opening key paths containing SYSTEM\CurrentControlSet which is a volatile symbolic link, replaced with 'ControlSet00n' where n is the current control set
  • Search Index
  • Improved performance of adding PST e-mail/attachments to case by using the same e-mail file handle, instead of opening and closing for every e-mail message


